[Moin-user] Moinmoin security and exploits

Thomas Waldmann tw-public at gmx.de
Wed Oct 5 02:26:11 EDT 2005


> more about moin's security.  I notice that Twiki has a security page
> with security alerts and fixes
> (http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlerts).  Is there
> anything like that for moinmoin?

We didn't have reason yet to make such a page.

But I think in case of a severe security issue in a current moin 
release, you would find something on MoinMoin:FrontPage and soon after a 
new release on Sourceforge.

> In general, I need to know what moin's vulnerabilities are and what steps
> I need to take to guard against them.

We rarely make use of external tools and shell calls, so that kind of 
problem is quite improbable.

In general, it is a good idea to run services on a low privilege level 
and with separate users. And to have backups, of course.

> I would assume that Python would have security issues as well?

The buffer overflow problems often leading to exploits in C code can't 
happen in moin code, because it is Python and in Python buffers do not 
overflow, they just grow.

But as the Python interpreter and some of its libraries are implemented 
in C, buffer overflows CAN happen THERE (if there is a bug), but those 
issues are VERY rare.

I think I remember only 1 or 2 security issues in Python or its libs in 
the last years and afaik moin never was affected.

The problems moin had a few times were mostly on a higher level, e.g. 
ACLs not working in special cases or privacy issues, so you could see a 
wiki page you shouldn't or an email address of somebody who might not 
have wanted it published.

Sometimes, this was due to bugs, sometimes rather due to old code that 
wasn't written with privacy in mind.
